WatchGuard Firewall IPv6 Security Hole

August 27, 2019 | September 23rd, 2020 | Blog, Cisco, Networking

I found an issue after replacing a WatchGuard firewall with a Cisco ASA 5516x. The WatchGuard was only configured with IPv4 on all of its interfaces. No IPv6 addresses were set up on any of its interfaces.

I even went back afterwards to validate that IPv6 was not set up on the firewall. The problem is that the WatchGuard firewall was still forwarding IPv6 traffic out and back in. This meant that the firewall was passing traffic that wasn’t supposed to be allowed: IPv6 traffic was allowed.

Anytime you have traffic that you cannot control in a network, it is a gaping security hole.

So, how did we find the issue? After replacing the WatchGuard, the customer started complaining about the slowness of their Internet connection. After a little bit of troubleshooting, we found that DNS was timing out twice and then would resolve. This would slow down each connection made by DNS name by 4 seconds.

To the average user, this gave the appearance of a slower connection.

While checking out the internal DNS server, which was a Windows Domain Controller running DNS, we found that the DNS server was bound to the IPv6 address on the server. The network was only supposed to be on IPv4, with no IPv6 running across it (yeah, I know Microsoft is pushing to use IPv6 and quickly switching over to it).

But IPv6 was being used, and when the WatchGuard firewall was connected, it was using IPv6 to do DNS resolution. Even though it worked, IPv6 was both unwanted and unfiltered. We quickly removed the IPv6 binding on the DNS server, and the name resolution returned to normal.
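
One way to confirm that an IPv4-only network carries no forwardable IPv6, as an added example that is not from the original post: the script reads flow records captured at the firewall and reports IPv6 flows whose source and destination are both routable-scope, separating them from link-local chatter that never leaves the segment. The record format, the sample addresses and the function names are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records, "src dst proto dport" (a hypothetical export format).
# 2001:db8::/32 is the IPv6 documentation prefix.
SAMPLE_FLOWS = """\
192.168.10.25 192.168.10.5 udp 53
fe80::1c2a:44ff:fe10:9 ff02::1:3 udp 5355
fe80::1c2a:44ff:fe10:9 ff02::fb udp 5353
2001:db8:10::25 2001:db8:ffff::53 udp 53
2001:db8:10::25 2001:db8:ffff::53 udp 53
2001:db8:10::31 2001:db8:beef::80 tcp 443
"""


def link_scoped(ip):
    """True for IPv6 addresses a router must not forward."""
    if ip.is_link_local or ip.is_loopback or ip.is_unspecified:
        return True
    # Multicast scope is the low nibble of the second byte (RFC 4291):
    # 1 = interface-local, 2 = link-local.
    return ip.is_multicast and (ip.packed[1] & 0x0F) <= 2


def routable_ipv6_flows(text):
    """Map each source host to the routable-scope IPv6 flows it originated."""
    findings = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed records
        try:
            src, dst = (ipaddress.ip_address(a) for a in fields[:2])
            port = int(fields[3])
        except ValueError:
            continue
        if src.version != 6 or dst.version != 6:
            continue
        if link_scoped(src) or link_scoped(dst):
            continue  # on-link chatter (LLMNR, mDNS, NDP) stays on the segment
        findings[str(src)].add((str(dst), fields[2], port))
    return dict(findings)


def dns_over_ipv6(findings):
    """Sources resolving names over IPv6, the symptom described in the post."""
    return sorted(s for s, flows in findings.items()
                  if any(port == 53 for _, _, port in flows))
```

On a network that is meant to be IPv4-only, any entry returned by `routable_ipv6_flows` is traffic the firewall policy never accounted for.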

While having an extra protocol on the network that is working seems like a good thing, having uncontrolled access either in or out of a corporate/enterprise network is an extremely bad thing. It means you have no control point(s). This means you have lost control of the corporate data and information.

Beware: if a device is easy to set up, it is making many assumptions.

Typically, if a device is open for every environment, it is most likely lacking in security. For a firewall, this means that it isn’t really doing its job. It is just giving the appearance that it is working, which is not what any business really wants out of their security.

Jason Howe, PEI